In recent years, the number of targeted attacks aimed at a specific company or at personal computers has rapidly increased. In particular, targeted attacks on companies or government organizations carried out by means of fraudulent electronic mails (hereinafter referred to as targeted attack mails) have rapidly increased. A targeted attack mail is a virus mail sent to a specific company or organization for the purpose of stealing confidential information; opening an attached file in which illegal code has been planted results in the execution of a fraudulent act such as the leakage of personal information.
In existing antivirus software, collation information relating to a known malicious program is registered as a signature, a program that matches the signature is detected, and infection is thereby avoided. However, such antivirus software is not suitable for an attack mail that uses a program having no signature. Furthermore, since the attached file and body text are carefully created and contrived so that their nature is hard to recognize at first glance, the antivirus software may fail to avert the attack. In addition, there is a limit to how strictly each user can check the consistency of an electronic mail header, an attached file, a body text, a sender address, and so forth.
As a countermeasure technique of the related art, there is sending domain authentication. This is a technique for verifying the legitimacy of an outgoing mail server and tracing the transmission path on a server basis. Specifically, the domain of an electronic mail address is checked, it is verified whether or not the electronic mail was sent from a legitimate server, and the sender address is thereby certified as legitimate.
The types of sending domain authentication mainly include authentication based on an IP address and authentication based on an electronic signature. In the former, an association (SPF record) between the domain of an electronic mail server and the IP addresses of its senders is published on a domain name system (DNS) server using the sender policy framework (SPF) or Sender ID; at the time of receiving, the receiving side queries the DNS server about the sender IP address and collates it with the published record. Accordingly, the former confirms that the sender address is legitimate.
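The IP-address-based collation described above, as an added example that is not part of the original publication: a receiving side evaluates the sender IP against the domain's published SPF record. The DNS lookup is replaced by a constructed in-memory table (assumed sample records, not real ones), and only the `ip4`, `ip6`, `include` and `all` mechanisms are handled.

```python
import ipaddress

# Constructed stand-in for SPF TXT lookups on a DNS server (sample data, not real records).
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
}

# SPF qualifier prefixes and the result each one yields when its mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, depth=0):
    """Collate `sender_ip` against the SPF record published for `domain`.

    Returns an SPF result string: pass, fail, softfail, neutral, none or permerror.
    `include:` is evaluated recursively; the depth limit guards against loops.
    """
    if depth > 10:
        return "permerror"
    record = SPF_RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"  # no record published: nothing to collate against
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]  # catch-all decides for unmatched senders
        mech, _, arg = term.partition(":")
        if mech in ("ip4", "ip6"):
            try:
                # A version mismatch (IPv6 address vs ip4 network) is simply a non-match.
                if ip in ipaddress.ip_network(arg, strict=False):
                    return QUALIFIERS[qualifier]
            except ValueError:
                return "permerror"  # malformed network in the published record
        elif mech == "include":
            if check_spf(arg, sender_ip, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        else:
            return "permerror"  # mechanism not supported by this evaluator
    return "neutral"  # record exhausted without a terminating "all"
```

Note that the collation only establishes that the connecting server is authorized for the checked domain; it says nothing about the content of the mail or about a sender address that is itself disguised, which is the limitation the following paragraphs address.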
In the latter, the public key information of an electronic mail server is published on a DNS server using DomainKeys Identified Mail (DKIM), the electronic mail is transmitted with an electronic signature generated using a secret key added to it, and at the time of receiving, the receiving side queries the DNS server for the public key information and verifies the electronic signature against it. Accordingly, the latter confirms that the sender address is legitimate.
A related technique has also been disclosed in Japanese Laid-open Patent Publication No. 2006-134313.
In the case of a targeted attack mail, the transmission source address is also disguised, and the mail is disguised as having been transmitted through a legitimate server. Therefore, checking the transmission source address by a method of the related art may not be sufficient to ensure the identity of the sender. In addition, a DNS server used for detecting a targeted attack mail needs to be installed, so the operational cost becomes large.
Objects of the present embodiment are to provide a detection method, a detection program, and a detection device capable of detecting a fraudulent mail such as a targeted attack mail on a client basis.